GPG Sign the binary releases #1130
Reference: Bitmessage/PyBitmessage-2025-01-17#1130
There is currently no way to verify that the released binary packages are in fact released by the developer. One way to do this is to sign the packages with GNUPG/PGP. There is an automated script to do this for github users, here: https://github.com/NicoHood/gpgit
Doing so helps prevent MITM attacks/malware from spreading. Thank you.
Agreed. Please can you do this, @PeterSurda?
Actually I do GPG sign the binary executables. There are at the moment no binary executables for 0.6.3, 0.6.3.1 and 0.6.3.2, so there is nothing to sign.
Since 0.6.2 I also obtained a code signing certificate that is recognised by both Windows and OSX. I haven't figured out how to sign OSX binaries yet, though.
@PeterSurda thanks for signing! I was able to get the .asc files for the binaries for v0.6.3.2 from the releases page. I was kind of confused, because the website is currently still serving up the vulnerable version without the sig. I would have helped fix that issue myself but there appears to be no way to register on the wiki to change the links around.
https://www.bitmessage.org/wiki/Main_Page
The bitmessage.org website links to 0.6.1, which isn't vulnerable. Maybe it should be bumped to 0.6.3.2 though. And the signatures are available on the github release page. The wiki registrations were disabled due to spam and no one had the time to fix it properly yet.
I'm not sure if there is or was anything to do, maybe there was some confusion. If you don't want me to close this, please elaborate.
It can be closed, I would just recommend putting the signature on the wiki page as it's the first thing people see. Helps people find it easier.
Adjusted wiki code:
Also if it's not too much to ask, the source (.tar.gz) file is unsigned. This would need to be signed as well for Arch Linux to include a sig check in the PKGBUILD.
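The workflow discussed in this thread (the opening request for signed release packages and the later request that the source tarball get a detached signature too), as an added, self-contained example; this is not code from the PyBitmessage project. It runs both sides in a throwaway GnuPG home so it works offline: the maintainer side generates a signing-only key under a hypothetical identity (`release@example.invalid`) and writes the `.asc` detached signature next to a constructed stand-in artifact, and the user side verifies the artifact against that signature, then confirms that a one-line change to the file makes the same signature fail. The key identity, file names and payload are all assumptions made for the example; the `gpg` command-line options used are standard GnuPG 2.x.

```shell
#!/bin/sh
# Added example, not code from the PyBitmessage project: detached-signature
# workflow for a release artifact, run end to end in a throwaway GnuPG home.
# Key identity, file names and payload are constructed for the example.
set -eu

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
# Stop the agent started for this temporary keyring and remove everything on exit.
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# Maintainer side: generate a signing-only key for a hypothetical release
# identity. A real project would use its long-lived release key instead.
make_release_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Release Key <release@example.invalid>' \
        ed25519 sign 0
}

# Maintainer side: write the ASCII-armoured detached signature "$1.asc",
# the file a release page publishes next to the artifact.
sign_artifact() {
    gpg --batch --quiet --yes --armor --detach-sign --output "$1.asc" "$1"
}

# User side: check artifact $1 against detached signature $2.
# Returns 0 only if the signature verifies with a key present in the keyring.
verify_artifact() {
    if gpg --batch --quiet --verify "$2" "$1" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Demonstration: sign a constructed artifact, verify it, then alter the file
# and confirm the same signature is rejected.
run_demo() {
    artifact="$WORK/pybitmessage-example.tar.gz"   # constructed stand-in
    printf 'constructed release payload\n' > "$artifact"
    make_release_key
    sign_artifact "$artifact"
    verify_artifact "$artifact" "$artifact.asc" || return 1
    echo "original: signature OK"
    printf 'one extra line changes everything\n' >> "$artifact"
    if verify_artifact "$artifact" "$artifact.asc"; then
        echo "tampered: signature unexpectedly OK"
        return 1
    fi
    echo "tampered: signature rejected"
}

if command -v gpg >/dev/null 2>&1; then
    run_demo
else
    echo "gpg not installed; nothing to demonstrate"
fi
```

A successful `gpg --verify` only proves the signature was made by a key already in the verifier's keyring, so the maintainer's key fingerprint still has to reach users through a channel they trust (the wiki download page mentioned above is the obvious place). The same `.asc` file published beside the source tarball is what an Arch `PKGBUILD` consumes: listing it in `source=()` with a `SKIP` checksum entry and the maintainer's fingerprint in `validpgpkeys=()` makes `makepkg` run this verification automatically.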
@Jeroentetje3 I'm having some mail issues on one server, peter@bitmessage.at is probably the best way to reach me.